When Data Protection Fails to Protect: Law, Power, and Postcolonial Governance in Bangladesh

A new academic paper provides a critical legal and institutional analysis of Bangladesh's emerging data protection regime, revealing significant gaps between policy and practice. Researchers from the University of Illinois Urbana-Champaign and Cornell University systematically reviewed three regulatory instruments introduced in 2025: the Personal Data Protection Ordinance, the Cyber Security Ordinance, and the National Data Governance Ordinance. Their findings, published on arXiv, show that while these laws signal a formal commitment to data protection, they collectively fail to provide meaningful safeguards for citizens' personal data amid rapid digitization of government services, finance, and telecom.

The study identifies three core barriers undermining the framework's effectiveness. First, the regime suffers from limited institutional independence and uneven regulatory capacity, leaving enforcement weak. Second, the laws are built on a misaligned legal assumption of individualized, autonomous data subjects, which does not reflect the reality of mediated access and communal data practices. Most critically, the formal frameworks 'invisibilize' prevalent sociotechnical layers, such as informal data flows and access via human intermediaries, rendering the written protections nearly impossible to operationalize on the ground. This analysis expands Human-Computer Interaction (HCI) scholarship by framing data protection as a complex sociotechnical design problem shaped by the informal infrastructures common in the Global South.